Closed skensita closed 1 year ago
Nice findings!
But I think that multiple submitted issues like this, #400 and #401, resulted from a single stack-based buffer overflow in dump_compact_short_term_ref_pic_set() (which exists due to an integer overflow in read_short_term_ref_pic_set()). Please check whether my commit at #402 fixes these vulnerabilities and let me know.
I agree with you. The stack-based buffer overflow in #399, #400 and #401 can be resolved with the #402 fixes. And the #402 fixes also address #398.
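As an added illustration, not libde265's code and not the fix in #402: a self-contained model of the bug class skensita describes above, where a count read from the bitstream is narrowed to 8 bits and only the narrowed total is range-checked, so a wrapped sum passes the check and a later ref pic set dump trusts counts nobody validated. The hardened parser checks the raw values before narrowing, and the dump refuses out-of-range counts as a second line of defence. The 16-picture limit, the 64-byte dump buffer, all function and field names, and the two hand-encoded sample bitstreams are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the bug class, not libde265's code. Assumed limits:
 * an RPS holds at most 16 pictures and the dump scratch buffer is 64 bytes. */
#define MAX_NUM_REF_PICS 16
#define DUMP_BUF_SIZE 64

typedef struct { const uint8_t *data; size_t len; size_t bitpos; } bitreader;

typedef struct {
  uint8_t num_negative_pics;      /* 8-bit counts: wider bitstream values get narrowed */
  uint8_t num_positive_pics;
  uint8_t num_delta_pocs;
  int delta_poc_s0[MAX_NUM_REF_PICS];
  int delta_poc_s1[MAX_NUM_REF_PICS];
} ref_pic_set;

/* One bit, MSB first; reading past the end yields 0 like decoder padding. */
static int read_bit(bitreader *br) {
  if (br->bitpos >= br->len * 8) return 0;
  int b = (br->data[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1;
  br->bitpos++;
  return b;
}

/* ue(v) unsigned Exp-Golomb; UINT32_MAX signals an over-long prefix. */
static uint32_t read_ue(bitreader *br) {
  int zeros = 0;
  while (read_bit(br) == 0)
    if (++zeros > 31) return UINT32_MAX;
  uint32_t v = 1;
  for (int i = 0; i < zeros; i++) v = (v << 1) | (uint32_t)read_bit(br);
  return v - 1;
}

/* Per entry: delta_poc_sX_minus1 ue(v) then used_by_curr_pic flag u(1); POCs accumulate. */
static int read_deltas(bitreader *br, int *out, int n, int sign) {
  int poc = 0;
  for (int i = 0; i < n; i++) {
    uint32_t d = read_ue(br);
    if (d > 32767) return -1;     /* delta_poc_sX_minus1 is limited to 2^15-1 */
    poc += sign * ((int)d + 1);
    (void)read_bit(br);           /* used_by_curr_pic flag, not needed here */
    out[i] = poc;
  }
  return 0;
}

/* VULNERABLE: counts are narrowed to 8 bits and only the narrowed total is
 * checked, so num_negative_pics=10, num_positive_pics=250 passes (260 wraps to 4). */
static int read_rps_unchecked(bitreader *br, ref_pic_set *rps) {
  rps->num_negative_pics = (uint8_t)read_ue(br);
  rps->num_positive_pics = (uint8_t)read_ue(br);
  rps->num_delta_pocs = (uint8_t)(rps->num_negative_pics + rps->num_positive_pics);
  if (rps->num_delta_pocs > MAX_NUM_REF_PICS) return -1;
  /* A real parser would now loop num_positive_pics (250) times into the 16-slot
   * delta_poc_s1 array; this model stops at the counts to stay memory-safe.
   * Those unvalidated counts are exactly what a dump routine then trusts. */
  return 0;
}

/* HARDENED: validate the raw bitstream values before narrowing or summing. */
static int read_rps_checked(bitreader *br, ref_pic_set *rps) {
  uint32_t neg = read_ue(br), pos = read_ue(br);
  if (neg > MAX_NUM_REF_PICS || pos > MAX_NUM_REF_PICS || neg + pos > MAX_NUM_REF_PICS)
    return -1;                    /* each <= 16, so the sum cannot overflow */
  rps->num_negative_pics = (uint8_t)neg;
  rps->num_positive_pics = (uint8_t)pos;
  rps->num_delta_pocs = (uint8_t)(neg + pos);
  if (read_deltas(br, rps->delta_poc_s0, (int)neg, -1)) return -1;
  if (read_deltas(br, rps->delta_poc_s1, (int)pos, +1)) return -1;
  return 0;
}

/* Bounded append: -1 if the text would not fit, where an unbounded sprintf
 * into a fixed stack array would simply keep writing past its end. */
static int append(char *out, size_t size, size_t *used, const char *fmt, int v) {
  int n = snprintf(out + *used, size - *used, fmt, v);
  if (n < 0 || (size_t)n >= size - *used) return -1;
  *used += (size_t)n;
  return 0;
}

/* Dump "S0(n): ... S1(m): ..." into out; returns bytes written or -1.
 * Defence in depth: refuse counts the parser should already have bounded. */
static int dump_rps(const ref_pic_set *rps, char *out, size_t size) {
  if (size == 0 || rps->num_negative_pics > MAX_NUM_REF_PICS ||
      rps->num_positive_pics > MAX_NUM_REF_PICS) return -1;
  size_t used = 0;
  out[0] = '\0';
  if (append(out, size, &used, "S0(%d):", rps->num_negative_pics)) return -1;
  for (int i = 0; i < rps->num_negative_pics; i++)
    if (append(out, size, &used, " %d", rps->delta_poc_s0[i])) return -1;
  if (append(out, size, &used, " S1(%d):", rps->num_positive_pics)) return -1;
  for (int i = 0; i < rps->num_positive_pics; i++)
    if (append(out, size, &used, " %d", rps->delta_poc_s1[i])) return -1;
  return (int)used;
}

/* Constructed sample bitstreams, hand-encoded for this example (not from any real file). */
static const uint8_t GOOD_RPS[]    = {0x6B, 0x5C};        /* neg=2 pos=1, S0: -1 -3, S1: 1 */
static const uint8_t CRAFTED_RPS[] = {0x16, 0x03, 0xEC};  /* neg=10 pos=250 */

/* Checked parser on the good stream: returns the dump length (21) if every field matches. */
static int check_good(void) {
  bitreader br = {GOOD_RPS, sizeof GOOD_RPS, 0};
  ref_pic_set rps; char out[DUMP_BUF_SIZE];
  if (read_rps_checked(&br, &rps) != 0) return -1;
  if (rps.num_negative_pics != 2 || rps.num_positive_pics != 1 || rps.delta_poc_s0[0] != -1 ||
      rps.delta_poc_s0[1] != -3 || rps.delta_poc_s1[0] != 1) return -2;
  int n = dump_rps(&rps, out, sizeof out);
  return strcmp(out, "S0(2): -1 -3 S1(1): 1") == 0 ? n : -3;
}

/* Unchecked parser on the crafted stream: returns the num_positive_pics it accepted (250). */
static int crafted_unchecked_accepts(void) {
  bitreader br = {CRAFTED_RPS, sizeof CRAFTED_RPS, 0};
  ref_pic_set rps;
  return read_rps_unchecked(&br, &rps) == 0 ? rps.num_positive_pics : -1;
}

/* Checked parser on the crafted stream: rejects it (-1). */
static int crafted_checked_result(void) {
  bitreader br = {CRAFTED_RPS, sizeof CRAFTED_RPS, 0};
  ref_pic_set rps;
  return read_rps_checked(&br, &rps);
}

/* Even when bad counts slip past the parser, the bounded dump refuses them (-1). */
static int crafted_dump_result(void) {
  bitreader br = {CRAFTED_RPS, sizeof CRAFTED_RPS, 0};
  ref_pic_set rps; char out[DUMP_BUF_SIZE];
  if (read_rps_unchecked(&br, &rps) != 0) return -2;
  return dump_rps(&rps, out, sizeof out);
}

int main(void) {
  printf("good dump len=%d, unchecked accepts pos=%d, checked=%d, bounded dump=%d\n",
         check_good(), crafted_unchecked_accepts(), crafted_checked_result(), crafted_dump_result());
  return 0;
}
```

The point to take from the model is where the check sits: a bound applied after a value has been narrowed (or summed in a narrow type) can be satisfied by a wrapped value, so the range check has to run on the value as read from the bitstream, and any routine that later formats those entries into a fixed buffer should bound its own writes rather than trust the counts.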
Tested version: libde265 v1.0.11
Description of the bug: A stack buffer overflow is triggered when processing a crafted HEVC file, which leads to code execution. This can be used for local or remote code execution.
Steps to reproduce the bug: Compile with Address Sanitizer (ASan): `./hdrcopy ./74e8de752b8fb1c6ad0d9b7afe0b711106ff4efa`
Address Sanitizer log:
Please check the attached POC.
74e8de752b8fb1c6ad0d9b7afe0b711106ff4efa.zip